Friday, 2017-08-04

*** gcb has joined #openstack-tc03:36
openstackgerritAlexander Chadin proposed openstack/governance master: Add watcher-tempest-plugin to watcher project
openstackgerritMerged openstack/governance master: Update py35 goal status for nova
openstackgerritMerged openstack/governance master: Add public cloud WG.
*** sdague has joined #openstack-tc09:42
*** dtantsur|afk is now known as dtantsur09:55
*** openstackgerrit has quit IRC10:18
*** gcb has quit IRC12:56
*** marst has joined #openstack-tc13:58
*** hongbin has joined #openstack-tc14:00
*** emagana has joined #openstack-tc15:08
*** dtantsur is now known as dtantsur|afk15:46
*** marst has quit IRC16:16
*** marst_ has joined #openstack-tc16:16
*** openstack has joined #openstack-tc17:29
*** emagana has quit IRC18:03
*** emagana has joined #openstack-tc18:04
lbragstadcurious if anyone from the TC would be interested in hearing about an interesting interop case we hit in keystone18:09
lbragstadlooking for advice on approaching a bug fix and if it requires a API version bump18:10
*** morgan has joined #openstack-tc18:10
* morgan looks for lbragstad 18:10
lbragstadmorgan: i just asked about 30 seconds before you joined :)18:10
lbragstadwe have a bug in keystone that'd we like to fix
openstackLaunchpad bug 1705081 in OpenStack Identity (keystone) "DELETE project API is failing in forbidden(403) error message" [High,Triaged] - Assigned to prashkre (prashkre)18:12
lbragstadthe net of it is:18:12
lbragstada deployment uses sql for storing resources like project/domains and it uses ldap for all identity information (e.g. users and groups)18:13
lbragstadsince users have an attribute called `default_project_id`, keystone has a callback that is invoked when a project is deleted to go through the identity backend and unset all users who might have that project as their default project id18:13
lbragstadthat way users aren't mislead about having authorization about a project that doesn't even exist18:13
lbragstadthis works fine and dandy for SQL as the resource and identity backends18:14
lbragstadbut when the identity backend is LDAP - a DELETE /v3/projects/{project_id} results in a 40318:14
lbragstadthe 403 is a result of the callback trying to "unset" project ids in the identity backend - which for ldap is read-only and raises a 40318:15
lbragstadi guess the question is - can we fix this without a version bump (keystone hasn't implemented microversions yet)18:15
lbragstador is there another approach we can take to make it so DELETE /v3/projects/{project_id} doesn't result in a 403 in deployments setup this way18:16
morganthe reason for the request to fix w/o a version bump is that it behaves differently depending on backend config. if we can't we have a solution that is really ugly, what ^ lbragstad just said18:16
dhellmannthat sounds like a question we would refer to the api-wg18:16
dhellmannyeah, it's a shame the deployer choice is causing API behavior differences18:17
morgankeystone has done a relatively good job of avoiding that trap.18:17
morganbut sometimes we have edge cases like this18:17
* dhellmann nods18:17
lbragstadunfortunately =/18:17
morganthat being said, this is a problem that cropped up within the last couple releases18:17
morganwhen we removed read/write ldap18:18
lbragstadcorrect - we took a much more opinionated stance at that point18:18
morganit always happened with r/o ldap, but very very few deployments used the r/o driver18:18
morganit required a lot of extra config work to do it. and it would have raised a 5XX error back then if ldap was read-only but not set as such18:18
morganso, basically this fix would be "fixing" an api break that snuck in -18:19
dhellmannyeah, it makes sense to me. like I said, I would confer with the api-wg to see if they have guidance18:20
morganlbragstad: this sounds like a -ml topic18:21
morganlbragstad: to me.18:21
lbragstaddhellmann: morgan ack - thanks for the advice18:21
morganso we can get wg/tc input on the record (not that i don't trust dhellmann, just wider audience and not needing to chase people on irc)18:21
dhellmannit's also good to have the precedent in a searchable form for the next person to run into something like this18:22
morgani get the feeling this is going to be a "fix it, make it consistently right"18:22
morganbut, *eh* never no18:22
morgancrud i can't type today18:22
*** openstack has joined #openstack-tc18:28
lbragstadmorgan: dhellmann done
*** emagana has quit IRC20:53
*** emagana has joined #openstack-tc20:54
*** emagana has quit IRC20:59
*** sdague has quit IRC21:08
*** emagana has joined #openstack-tc21:14
*** emagana has quit IRC22:23
*** emagana has joined #openstack-tc22:24
*** marst_ has quit IRC22:24
*** emagana has quit IRC22:29
*** emagana has joined #openstack-tc22:43
*** emagana has quit IRC22:43
*** emagana has joined #openstack-tc22:44
*** emagana has quit IRC22:47
*** hongbin has quit IRC23:19
*** lbragstad has quit IRC23:22

Generated by 2.15.3 by Marius Gedminas - find it at!